Your message dated Sun, 27 May 2012 21:20:01 +0000
with message-id <e1syksb-0004yh...@franck.debian.org>
and subject line Bug#661061: fixed in pastescript 1.7.5-2
has caused the Debian Bug report #661061,
regarding python-paste-script: Supplementary groups not dropped when starting an application with "paster serve" as root
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
661061: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661061
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pastescript
Version: 1.7.5-1
Severity: grave
Tags: security patch
Hello,
below is a (shortened) report about a vulnerability in python-pastescript. As
far as I can see we are affected by this.
Kind regards
Nico
----- Forwarded message from Jan Lieskovsky <jlies...@redhat.com> -----
Hello Kurt, Steve, vendors,
a security flaw was found in the way Paster, a pluggable command-line frontend, when started as root (for example to have access to a privileged port) to serve a web based application, performed privilege dropping upon startup (supplementary groups were not dropped properly regardless of the UID, GID specified in the .ini configuration file or in the --user and --group CL arguments). A remote attacker could use this flaw for example to read / write root GID accessible files, if the particular web application provided remote means for local file manipulation.
Credit / Issue Reported by: Clay Gerrard
References:
[1] http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471
[2] https://bugzilla.redhat.com/show_bug.cgi?id=796790
Patch proposed by the issue reporter:
[3] https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve
Upstream patch:
[4] https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
----- End forwarded message -----
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
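The forwarded report describes the ordering mistake behind CVE-2012-0878: a daemon started as root that calls setgid()/setuid() but never resets the supplementary group list keeps root's groups (gid 0 among them) after the "drop". The following is an added example, not code from pastescript or from the upstream fix, showing the correct order of calls (setgroups() while still root, then setgid(), then setuid()) together with a post-drop check that reports any group the process still holds. It uses only the Python standard library; the helper names and the "paster serve"-style user/group arguments are assumptions for illustration.

```python
import grp
import os
import pwd
import sys


def resolve_ids(user, group=None):
    """Map a user (name or numeric string) and optional group to (uid, gid).

    Without an explicit group the user's primary group from the passwd entry
    is used, which is what a --user without --group falls back to.
    """
    if str(user).isdigit():
        uid, pw = int(user), None
    else:
        pw = pwd.getpwnam(user)
        uid = pw.pw_uid
    if group is None:
        if pw is None:
            pw = pwd.getpwuid(uid)
        gid = pw.pw_gid
    elif str(group).isdigit():
        gid = int(group)
    else:
        gid = grp.getgrnam(group).gr_gid
    return uid, gid


def privilege_drop_plan(uid, gid, supplementary=()):
    """Return the ordered os.* calls that drop privileges completely.

    Order matters: setgroups() requires root (CAP_SETGID), so it must run
    before setgid() and setuid(). Skipping it is the CVE-2012-0878 mistake:
    the process keeps root's supplementary groups after the uid change.
    """
    return [
        ("setgroups", sorted(set(supplementary))),
        ("setgid", gid),
        ("setuid", uid),
    ]


def apply_plan(plan):
    """Execute a plan; only succeeds as root (PermissionError otherwise)."""
    for name, arg in plan:
        getattr(os, name)(arg)


def leftover_groups(allowed, current=None):
    """Groups the process still holds that are not in `allowed`.

    An empty list is what a correct drop looks like. A non-empty list
    (typically containing 0 when started as root) is the symptom reported
    in this bug: files accessible to root's groups remain reachable.
    """
    if current is None:
        current = os.getgroups()
    return sorted(set(current) - set(allowed))


def drop_privileges(user, group=None, keep_user_groups=True):
    """Resolve ids, drop root privileges, and verify no stray groups remain."""
    uid, gid = resolve_ids(user, group)
    if keep_user_groups:
        # the target user's own supplementary groups, as initgroups(3) would set
        name = pwd.getpwuid(uid).pw_name
        supplementary = os.getgrouplist(name, gid)
    else:
        supplementary = [gid]
    apply_plan(privilege_drop_plan(uid, gid, supplementary))
    stray = leftover_groups(supplementary)
    if stray:
        raise RuntimeError("supplementary groups not dropped: %r" % (stray,))
    return uid, gid


if __name__ == "__main__":
    # usage: python drop.py <user> [<group>]   (target user is an assumption)
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    group = sys.argv[2] if len(sys.argv) > 2 else None
    if os.geteuid() == 0:
        uid, gid = drop_privileges(user, group)
        print("now uid=%d gid=%d groups=%r" % (uid, gid, os.getgroups()))
    else:
        # not root: just show the calls that would be made, in order
        uid, gid = resolve_ids(user, group)
        for call, arg in privilege_drop_plan(uid, gid, [gid]):
            print("os.%s(%r)" % (call, arg))
```

Run as root the script performs the drop and fails loudly if os.getgroups() still contains anything outside the target user's group list; run unprivileged it only prints the planned calls. The same leftover_groups() check, run right after a service's own privilege drop, is a cheap regression test for this class of bug.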
--- Begin Message ---
Source: pastescript
Source-Version: 1.7.5-2
We believe that the bug you reported is fixed in the latest version of
pastescript, which is due to be installed in the Debian FTP archive:
pastescript_1.7.5-2.debian.tar.gz
to main/p/pastescript/pastescript_1.7.5-2.debian.tar.gz
pastescript_1.7.5-2.dsc
to main/p/pastescript/pastescript_1.7.5-2.dsc
python-pastescript_1.7.5-2_all.deb
to main/p/pastescript/python-pastescript_1.7.5-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 661...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Ożarowski <pi...@debian.org> (supplier of updated pastescript package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 27 May 2012 21:57:31 +0200
Source: pastescript
Binary: python-pastescript
Architecture: source all
Version: 1.7.5-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Piotr Ożarowski <pi...@debian.org>
Description:
python-pastescript - serving web applications, creating file layouts for
Python packag
Closes: 661061 671318
Changes:
pastescript (1.7.5-2) unstable; urgency=high
.
[ Luk Claes ]
* Fix CVE-2012-0878 by dropping supplementary groups (closes: #661061).
.
[ Piotr Ożarowski ]
* Add versioned dependency on python-pastedeploy (the first one that uses dh_python2)
* Remove egg-info data in clean target to allow building twice in a row (closes: #671318)
* Standards-Version bumped to 3.9.3 (no changes needed)
Checksums-Sha1:
4283843b8751097a0ade7c632d0989d3ab40730c 2135 pastescript_1.7.5-2.dsc
f34ec4553e5cb0033e6bb8d725a4ac7c40a401ea 9062 pastescript_1.7.5-2.debian.tar.gz
eef6c9bc2e0e059c6cf1b20a6b69717c55b00610 132290 python-pastescript_1.7.5-2_all.deb
Checksums-Sha256:
e31e3182163193b244f075f8ef6eb0d059d2de1cecba0f8d467024d3f4fcb7c3 2135 pastescript_1.7.5-2.dsc
f4fcae0f8912a14b16709f056138f6fec22da413b6ddbc392ee4d388b8ddc834 9062 pastescript_1.7.5-2.debian.tar.gz
f333b53375d95f0bc26116329499e3c353c7be0ac3ea5b1e2b13027ba9407407 132290 python-pastescript_1.7.5-2_all.deb
Files:
bbca9a6fbfa6fddefe73794dce944488 2135 python optional pastescript_1.7.5-2.dsc
fb0d2971c740c05bd4d56577d38bb93d 9062 python optional pastescript_1.7.5-2.debian.tar.gz
3cabc82ec9e05d76dba567387023a10e 132290 python optional python-pastescript_1.7.5-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---